XSS exception at blogger

[maurix]

Since a few days I am getting the alert of "cross-site scripting" when editing my blog at blogger (https://draft.blogger.com).

I added the exception but it seems not working. The alert is still there-

Thanks

BTW. Now I am having problem also with google.it
If not solved I am forced to unistall noscript from all my macs

[barbaz]

I added the exception but it seems not working. The alert is still there-

What exception?

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

If not solved I am forced to unistall noscript from all my macs

Because of XSS alerts? No you are not. If you don't have time to troubleshoot, just go to NoScript Options > Advanced > XSS and un-check both boxes. Remember to enable them again when you're done.

[GagliaudO16]

Dear friends,

I have just read this post: viewtopic.php?f=7&t=23196

I have the same problem and I have tried to describe it there within the italian Mozilla Forum:
https://forum.mozillaitalia.org/index.p ... #msg479717

I am not familiar with regular expressions and I really do not know how to build an exception for Blogger.

This is what my console shows:

Code: Select all

channel.URI is undefined  WebRequest.jsm:834
Caricamento non riuscito per lo <script> con sorgente “https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js”.  blogger.g:12
L’utilizzo di Mutation Events è deprecato. Al suo posto utilizzare MutationObserver.  3652162377-ed__it.js:95:728
[NoScript InjectionChecker] JavaScript Injection in ///u/0/_/widget/render/autocomplete?origin=https://www.blogger.com&inparent=true&hl=it&source=wmtn:blogger&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#rpctoken=408019398&_methods=onstatechange,_ready,_close,_open,_resizeMe,_renderstart&id=I1_1502903908507&parent=https://www.blogger.com&pfname=
(function anonymous(
) {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://apis.google.com/u/0/_/widget/render/autocomplete?origin=https%3A%2F%2Fwww.blogger.com&inparent=true&hl=it&source=wmtn%3Ablogger&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#rpctoken=408019398&_methods=onstatechange%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart&id=I1_1502903908507&parent=https%3A%2F%2Fwww.blogger.com&pfname=] richiesto da [https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor]. URL filtrato: [https://apis.google.com/#3149938400639374184].
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=30&hl=it&origin=https://www.blogger.com&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1502903910385&parent=https://www.blogger.com&pfname=&rpctoken=14374962
(function anonymous(
) {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fwww.blogger.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1502903910385&parent=https%3A%2F%2Fwww.blogger.com&pfname=&rpctoken=14374962] richiesto da [https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor]. URL filtrato: [https://notifications.google.com/#7649496606835314410].
Problema di sicurezza: i contenuti in https://www.google.it/?gfe_rd=cr&ei=Zn6UWZ4p5sZekaiB-Ac#7649496606835314410 non possono caricare dati da https://www.blogger.com/blogger.g?blogID=1806070156304911122#editor.
Load denied by X-Frame-Options: https://www.google.it/?gfe_rd=cr&ei=Zn6UWZ4p5sZekaiB-Ac#7649496606835314410 does not permit cross-origin framing.  (sconosciuto)

Is there anyone who can help me in building this exception for Blogger?

Thanks a lot for any help, Paolo from Italia.
---
Dear barbaz, thanks a lot for your patience, I am a newbie of this forum, sorry for the inconveniences.
Anyway, everything ok with Google and Blogger now with No Script 5.0.9

[maurix]

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

thanks
This part of the message copied from the consolle

Code: Select all

 
....... 
ReferenceError: $ is not defined
 memory:2357:1
[ABE WAN] Trying to detect WAN IP...
[ABE WAN] Detected WAN IP 82.84.163.219
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=30&hl=it&origin=https://draft.blogger.com&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1502916716420&parent=https://draft.blogger.com&pfname=&rpctoken=92543464
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fdraft.blogger.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1502916716420&parent=https%3A%2F%2Fdraft.blogger.com&pfname=&rpctoken=92543464] richiesto da [https://draft.blogger.com/blogger.g?blogID=7973958946267130001]. URL filtrato: [https://notifications.google.com/#499448842847718232].
Problema di sicurezza: i contenuti in https://www.google.it/?gfe_rd=cr&ei=b7CUWZjEFszCXr2xg9gI#499448842847718232 non possono caricare dati da https://draft.blogger.com/blogger.g?blogID=7973958946267130001.
[NoScript InjectionChecker] JavaScript Injection in ///u/0/widget?sourceid=30&hl=it&origin=https://draft.blogger.com&uc=1&usegapi=1&jsh=m;/_/scs/abc-static/_/js/k=gapi.gapi.en.ellQXbSf-LI.O/m=__features__/am=AAg/rt=j/d=1/rs=AHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError,onInfo,hideNotificationWidget,postSharedMessage,reauth,setNotificationWidgetHeight,setNotificationWidgetSize,switchTo,navigateTo,setNotificationText,setNotificationAnimation,getNotificationText,validateUser,_ready&id=I0_1502916852031&parent=https://draft.blogger.com&pfname=&rpctoken=36546424
(function anonymous() {
_/scs/abc-static/_/js/k==gapi.gapi.en.ellQXbSf-LI.O/m==__features__
})
[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://notifications.google.com/u/0/widget?sourceid=30&hl=it&origin=https%3A%2F%2Fdraft.blogger.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.ellQXbSf-LI.O%2Fm%3D__features__%2Fam%3DAAg%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo9jm0At0b0B7I7G3MSvlepU00mZfA#pid=30&_methods=onError%2ConInfo%2ChideNotificationWidget%2CpostSharedMessage%2Creauth%2CsetNotificationWidgetHeight%2CsetNotificationWidgetSize%2CswitchTo%2CnavigateTo%2CsetNotificationText%2CsetNotificationAnimation%2CgetNotificationText%2CvalidateUser%2C_ready&id=I0_1502916852031&parent=https%3A%2F%2Fdraft.blogger.com&pfname=&rpctoken=36546424] richiesto da [https://draft.blogger.com/blogger.g?blogID=7973958946267130001#allposts]. URL filtrato: [https://notifications.google.com/#9747596518687717305].
Problema di sicurezza: i contenuti in https://www.google.it/?gfe_rd=cr&ei=97CUWeKEKMzCXr2xg9gI#9747596518687717305 non possono caricare dati da https://draft.blogger.com/blogger.g?blogID=7973958946267130001#allposts.
Load denied by X-Frame-Options: https://www.google.it/?gfe_rd=cr&ei=97CUWeKEKMzCXr2xg9gI#9747596518687717305 does not permit cross-origin framing. <sconosciuto>
OpenGL compositor Initialized Succesfully.
Version: 1.4 APPLE-1.6.36
Vendor: Intel Inc.
Renderer: Intel GMA 950 OpenGL Engine
FBO Texture Target: TEXTURE_2D

[barbaz]

Threads merged. GagliaudO16, please do not start duplicate threads, it makes it harder to address the issue at hand.

___

I think it's a false positive. There are two different exceptions you could make, pick only one.

If you trust that notifications.google.com won't be vulnerable to XSS, use this exception -

Code: Select all

^https://notifications\.google\.com/.*\?.*origin=https%3A%2F%2F(?:draft|www)\.blogger\.com&

Or if you rather trust that blogger.com won't XSS other sites -

Code: Select all

^@https://(?:draft|www)\.blogger\.com/blogger\.g?

Either one would go in NoScript Options > Advanced > XSS > Anti-XSS protection exceptions.

Does this help?

[maurix]

thanks, I'll add the exception rule in the early afternoon.

I don't know if this matters but I've just realized that I got the XSS alert if, and only if, I am logged to google (and therefore to Blogger). Meaning that if I open the page google.it as a guest (unlogged), everything is ok. In the very same moment I log in the XSS alert pops up.

[maurix]

Sorry to say that none of the exceptions works for google. Tried each of them alone or together and still, after restarting FF, I got the xss alert.
No prob with blogger.

Should I rename somehow the above instructions for Google?

[barbaz]

Sorry to say that none of the exceptions works for google. Tried each of them alone or together and still, after restarting FF, I got the xss alert.
No prob with blogger.

Should I rename somehow the above instructions for Google?

see https://forums.informaction.com/viewtop ... =7&t=23204

@mary7 please do not cross-post, it makes it harder to help you.

[barbaz]

Do you still need the XSS exceptions with NoScript latest development build 5.0.9rc2?

[maurix]

Do you still need the XSS exceptions with NoScript latest development build 5.0.9rc2?

Actually I don't know because now everything is working properly (I have add both the blogger and google.it exceptions to the XSS rule). I am still using 5.0.8.1 because it is the latest available for my FFox